ci(github): update workflows to use ubuntu-24.04 runners (#12251)

GitHub is upgrading the `ubuntu-latest` runners to `ubuntu-24.04`. We
need to make sure our CI still works as expected. I also suggest pinning
the runner image version instead of using `ubuntu-latest`.

<!--
> Changelog: skip
-->
<!--
Uncomment the above section to explicitly set a [`> Changelog:` entry
here](https://github.com/kumahq/kuma/blob/master/CONTRIBUTING.md#submitting-a-patch)?
-->

Signed-off-by: Bart Smykla <[email protected]>

Author: bartsmykla

.github/workflows/_build_publish.yaml

@@ -44,7 +44,7 @@ env:
 jobs:
   build-binaries:
     timeout-minutes: 40
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     outputs:
       BINARY_ARTIFACT_DIGEST_BASE64: ${{ steps.inspect-binary-output.outputs.binary_artifact_digest_base64 }}
     steps:
@@ -88,7 +88,11 @@ jobs:
         run: |
           make publish/pulp
   build-images:
+<<<<<<< HEAD
     runs-on: ubuntu-22.04 # pining to this version since we use older base image for kuma-init and we don't want to change it since it can break users environment
+=======
+    runs-on: ubuntu-24.04
+>>>>>>> 79dbceeef (ci(github): update workflows to use ubuntu-24.04 runners (#12251))
     timeout-minutes: 30
     strategy:
       fail-fast: false
@@ -195,7 +199,12 @@ jobs:
           registry_password: ${{ secrets.DOCKER_API_KEY }}
   digest-images:
     needs: [build-images]
+<<<<<<< HEAD
     runs-on: ubuntu-latest
+=======
+    runs-on: ubuntu-24.04
+    if: ${{ fromJSON(inputs.ALLOW_PUSH) }}
+>>>>>>> 79dbceeef (ci(github): update workflows to use ubuntu-24.04 runners (#12251))
     outputs:
       DIGESTS: ${{ steps.compute-digests.outputs.digests }}
     steps:
@@ -213,7 +222,7 @@ jobs:
   publish-helm:
     needs: [build-images]
     timeout-minutes: 10
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:

.github/workflows/_test.yaml

@@ -18,7 +18,7 @@ jobs:
   test_unit:
     timeout-minutes: 20
     if: ${{ !contains(github.event.pull_request.labels.*.name, 'ci/skip-test') }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
@@ -39,7 +39,7 @@ jobs:
           make test
   gen_e2e_matrix:
     timeout-minutes: 2
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     outputs:
       matrix: ${{ steps.generate-matrix.outputs.matrix }}
     steps:

.github/workflows/auto-merge.yaml

@@ -13,7 +13,7 @@ permissions:
 jobs:
   approve-and-auto-merge:
     timeout-minutes: 10
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: contains(github.event.pull_request.labels.*.name, 'ci/auto-merge')
     permissions:
       pull-requests: write

.github/workflows/bom.yaml

@@ -7,7 +7,7 @@ permissions: read-all
 jobs:
   sbom:
     timeout-minutes: 10
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1

.github/workflows/build-test-distribute.yaml

@@ -21,7 +21,7 @@ jobs:
       # golangci-lint-action
       checks: write
     timeout-minutes: 25
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     env:
       FULL_MATRIX: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'ci/run-full-matrix') }}
       ALLOW_PUSH: ${{ github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'ci/force-publish') }}
@@ -85,7 +85,11 @@ jobs:
     uses: ./.github/workflows/_test.yaml
     with:
       FULL_MATRIX: ${{ needs.check.outputs.FULL_MATRIX }}
+<<<<<<< HEAD
       RUNNERS_BY_ARCH: ${{ (github.event_name == 'push' || github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) && '{"amd64":"ubuntu-latest-kong","arm64":"ubuntu-latest-arm64-kong"}' || '{"amd64":"ubuntu-latest","arm64":""}' }}
+=======
+      RUNNERS_BY_ARCH: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) && '{"amd64":"ubuntu-latest-kong","arm64":"ubuntu-latest-arm64-kong"}' || '{"amd64":"ubuntu-24.04","arm64":""}' }}
+>>>>>>> 79dbceeef (ci(github): update workflows to use ubuntu-24.04 runners (#12251))
     secrets: inherit
   build_publish:
     permissions:
@@ -124,7 +128,7 @@ jobs:
     needs: ["build_publish", "check", "test", "provenance"]
     timeout-minutes: 10
     if: ${{ always() }}
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       contents: write
       actions: read # For getting workflow run info

.github/workflows/check.yaml

@@ -12,7 +12,13 @@ permissions:
 jobs:
   commit-lint:
     timeout-minutes: 10
+<<<<<<< HEAD
     runs-on: ubuntu-latest
+=======
+    runs-on: ubuntu-24.04
+    permissions:
+      pull-requests: write
+>>>>>>> 79dbceeef (ci(github): update workflows to use ubuntu-24.04 runners (#12251))
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Check PR title

.github/workflows/ci-stability.yaml

@@ -0,0 +1,82 @@
+name: Check CI stability for PRs with "ci/verify-stability" or "ci/verify-stability-merge-master" label
+
+on:
+  schedule:
+    # Monday to Friday: Every 2 hours from 7 PM to 7 AM CEST
+    - cron: "0 17 * * 1-5"
+    - cron: "0 19 * * 1-5"
+    - cron: "0 21 * * 1-5"
+    - cron: "0 23 * * 1-5"
+    - cron: "0 1 * * 2-6"
+    - cron: "0 3 * * 2-6"
+    - cron: "0 5 * * 2-6"
+    # Saturday and Sunday: Every 2 hours all day
+    - cron: "0 */2 * * 6,0"
+  workflow_dispatch:  # Allows manual trigger from GitHub Actions UI
+env:
+  GH_USER: "github-actions[bot]"
+  GH_EMAIL: "<41898282+github-actions[bot]@users.noreply.github.com>"
+jobs:
+  trigger-ci:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Generate GitHub app token
+        id: github-app-token
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          token: ${{ steps.github-app-token.outputs.token }}
+      - name: Get open pull requests and save to file
+        run: |
+          gh pr list --json number,labels > open_prs.json
+        env:
+          GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}
+      - name: Process PRs
+        id: process_prs
+        run: |
+          cat open_prs.json
+          pr_numbers_with_verify_stability=$(jq -r -c '.[] | select(.labels[]?.name == "ci/verify-stability") | .number' open_prs.json | tr '\n' ' ')
+          pr_numbers_with_verify_stability_merge_master=$(jq -r '.[] | select(.labels[]?.name == "ci/verify-stability-merge-master") | .number' open_prs.json | tr '\n' ' ')
+          echo "PRs with 'ci/verify-stability' label: $pr_numbers_with_verify_stability"
+          echo "PRs with 'ci/verify-stability-merge-master' label: $pr_numbers_with_verify_stability_merge_master"
+          echo "pr_numbers_with_verify_stability=$pr_numbers_with_verify_stability" >> $GITHUB_OUTPUT
+          echo "pr_numbers_with_verify_stability_merge_master=$pr_numbers_with_verify_stability_merge_master" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}
+      - name: Merge master branch (if applicable) and push a single commit
+        if: steps.process_prs.outputs.pr_numbers_with_verify_stability != ''
+        run: |
+          eval "pr_numbers=(${{ steps.process_prs.outputs.pr_numbers_with_verify_stability }})"
+          for pr_number in $pr_numbers; do
+            current_datetime=$(date +"%Y-%m-%d %H:%M:%S")
+            echo "Processing PR #$pr_number"
+
+            # Fetch PR details to get the base branch (original branch name)
+            pr_branch=$(gh pr view $pr_number --json headRefName --jq '.headRefName')
+            echo "The original branch for PR #$pr_number is $pr_branch"
+            git fetch origin pull/$pr_number/head:$pr_branch
+            git checkout $pr_branch
+
+            git config user.name "${GH_USER}"
+            git config user.email "${GH_EMAIL}"
+          
+            # Check if the PR needs to merge with master
+            if echo "${{ steps.process_prs.outputs.pr_numbers_with_verify_stability_merge_master }}" | grep -wq "$pr_number"; then
+              echo "Merging master into PR #$pr_number"
+              git fetch origin master
+              git merge origin/master --no-ff --no-commit
+              git commit --allow-empty -m "Merge master into PR #$pr_number"
+            fi
+          
+            # Commit an empty commit to trigger the CI
+            echo "Pushing empty commit to trigger CI for PR #$pr_number on $current_datetime"
+            git commit --allow-empty -m "Trigger CI for PR #$pr_number on $current_datetime"
+            git push origin $pr_branch
+          done
+        env:
+          GITHUB_TOKEN: ${{ steps.github-app-token.outputs.token }}

.github/workflows/codeql.yaml

@@ -9,7 +9,7 @@ jobs:
   analyze:
     timeout-minutes: 30
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       actions: read
       contents: read

.github/workflows/merge-release-to-master.yaml

@@ -11,7 +11,7 @@ permissions:
   contents: read
 jobs:
   release:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:

.github/workflows/pr-comments.yaml

@@ -12,7 +12,7 @@ jobs:
   pr_comments:
     timeout-minutes: 30
     if: github.event.issue.pull_request != '' && (contains(github.event.comment.body, '/format') || contains(github.event.comment.body, '/golden_files'))
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Generate GitHub app token
         id: github-app-token